Wireless Access

Hello, i'm trying to configure a secondary zone cluster of 2 controller in a DMZ network. Here i have 3 vlan 1300 (mgmt ad DG) 1305 and 1306 as 2 vlans for 2 different ssid.

Before controller i have a firewall that do not work as dhcp helper so i need to configure it on my vlan interfaces. DHCP is inside intranet.

Configured on vlan interface 1305, clients do not receive ip because of dhcp answer come back on vlan 1300 and firewall block as spoofing.

If i put a static route on vlan 1305  this works but i cannot do the same on 1306.

Is there any hint or examlple or docs for configuration where i can undertand where i am wrong?

Hi,

Configure a IP interface on your switch for each VLAN. Under the IP interface send a DHCP-Helper to your firewall. 

Make some ACL rules on the controller to protect the IP addresses ;).

Hello MArcel, thanks for your answer, we see that firewall block dhcp answer as spoofing, discover phase send from one vlan and answer go back to gateway vlan.

Now we remove antispoofing on firewall gateway vlan and all works, but is there any alternative solution on controller?

an  8 10:00:53  dhcpdwrap[3743]: <202534> <3743> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1306: DISCOVER 66:d0:b2:3c:fe:8e Transaction ID:0x7faa7c18 Options 35:01 3d:0166d0b23cfe8e 39:05dc 3c:616e64726f69642d646863702d3130 0c:696e736563757265 37:0103060f1a1c333a3b2b

The DCHP request is an layer 2 broadcast packet. When your DHCP server is in another VLAN (broadcast domain) then you need an IP interface with a IP-Helper (layer3) somewhere in your broadcast domain to reach the DHCP server in the other broadcast domain.

If you cant set the helper at the firewall then this is the only method i known. 

IT depends on your firewall and needs but maybe you can use DHCP on your firewall.

Helper on firewall is the simple solution but customer have more than 1000 vlan on Checkpoint firewall and he prefer do not do this. This because Cisco WLC work without issue on this and ask us to do the same.

Use the cisco WLC the same client vlan and where does it have its ip-helper in the broadcast domain, at the wlc controller, edge or core?

On CIsco WLC Ip Helper is on each vlan interface and each wlan is like have single gateway. Imagine on Cisco WLC have every vlan interface like a separate virtual enviroment where every vlan interfce have his own default gateway. 

I take screenshot of how it's configured on working configuration on Cisco WLC. I have to replicate the same.

This configuration is on every vlan interface and on this controller we have 83 interfaces.